Export Certificates and Keys

Palo Alto Networks devices can utilize digital certificates containing cryptographic keys and signatures for secure communications. These certificates authenticate users (Authentication Portal, MFA) and devices (GlobalProtect/IPSec VPNs), validate EDLs, secure User-ID agent connections, and enable SSL traffic decryption. The XML API supports working with these certificates programmatically. The API supports both default system certificates and custom certificates, allowing comprehensive visibility into certificate deployment across distributed Palo Alto Networks environments.
API-based certificate export functionality provides:
  • Automated extraction of certificate metadata (validity periods, key sizes, algorithms)
  • Bulk export capabilities for certificate inventory management
  • Structured data format (JSON/XML) for integration with PKI systems
  • Monitoring of certificate expiration status across device groups
  • Export filters by certificate type, usage, or expiration threshold
  • Inclusion of certificate revocation status and CRL information
Use the following procedure to export certificates and keys.
  1. To export certificates and keys, specify query parameters certificate-name, format, and passphrase:
    https://<firewall>/api/?key=apikey&type=export&category=<certificate>&certificate-name=<certificate_name>&passphrase=<passphrase>&format=<pkcs12><pem><pkcs10>&include-key=<yes><no>&vsys=<vsys> <omit this parameter to import it into a shared location>
    • certificate-name—name of the certificate object on the firewall
    • passphrase—required when including the certificate key
    • format—certificate format: pkcs12, pem, or pkcs10
    • include-key—yes or no parameter to include or exclude the key
    • vsys—virtual system where the certificate object is used. Ignore this parameter if the certificate is a shared object.
    You can use the example above to export a certificate signing request (CSR). If you do so, then specify the following two parameters as shown:
    • format=pkcs10
    • include-key=no
  2. Confirm that the XML response includes the certificate:
    -----BEGIN CERTIFICATE----- MIIDXTCCAkWgAwIBAgIJAJC1HiIAZAiIMA0GCSqGSIb3Df BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVx aWRnaXRzIFB0eSBMdGQwHhcNMTExMjMxMDg1OTQ0WhcNMT <!-- TRUNCATED --> -----END CERTIFICATE-----
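
The procedure above as an added Python sketch (not Palo Alto Networks code): it builds the export query with the parameter rules from step 1, URL-encodes the values, and performs the step 2 check on a text (pem or pkcs10) response, including whether private key material is present only when it was requested. The function names and the sample responses are constructed for illustration, and the API key is left for the caller to supply.

```python
import re
from urllib.parse import urlencode

FORMATS = {"pkcs12", "pem", "pkcs10"}
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.+?-----END \1-----", re.S)

def build_export_query(name, fmt, include_key=False, passphrase=None, vsys=None):
    """Build the export query string; the caller adds the key parameter."""
    if fmt not in FORMATS:
        raise ValueError(f"format must be one of {sorted(FORMATS)}")
    if fmt == "pkcs10" and include_key:
        raise ValueError("a CSR export uses format=pkcs10 with include-key=no")
    if include_key and not passphrase:
        raise ValueError("passphrase is required when including the key")
    # category value taken from the page's example URL
    params = {"type": "export", "category": "certificate",
              "certificate-name": name, "format": fmt,
              "include-key": "yes" if include_key else "no"}
    if include_key:
        params["passphrase"] = passphrase
    if vsys:  # omitted for shared certificate objects
        params["vsys"] = vsys
    # urlencode escapes characters such as '&' or '@' in names and passphrases
    return urlencode(params)

def check_export(body, include_key):
    """Step 2: confirm a text (pem/pkcs10) response holds what was requested."""
    labels = [m.group(1) for m in PEM_BLOCK.finditer(body)]
    has_cert = any(l.endswith(("CERTIFICATE", "CERTIFICATE REQUEST")) for l in labels)
    has_key = any(l.endswith("PRIVATE KEY") for l in labels)
    if not has_cert:
        raise ValueError("response contains no certificate or CSR block")
    if has_key != include_key:
        raise ValueError("private key presence does not match include-key")
    return labels

# Constructed sample responses (placeholder bodies, not real key material)
CERT_ONLY = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
CERT_AND_KEY = CERT_ONLY + (
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\nPLACEHOLDER\n"
    "-----END ENCRYPTED PRIVATE KEY-----\n")

if __name__ == "__main__":
    print(build_export_query("web-cert", "pem", True, "p@ss w&rd", "vsys1"))
    print(check_export(CERT_AND_KEY, include_key=True))
```

The check inspects PEM block labels only; a pkcs12 export is binary and needs a PKCS#12 parser instead.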